Sponsored Supplement March 2011 - The growing fraud threat and how to fight it

(Page 3 of 5)

As part of the movement by the card companies to eliminate the storage of credit card data by merchants, providers of fraud-prevention services are pushing tokenization. Tokenization is a method by which account data for credit cards used to make an online purchase are stored in a secure server by the merchant's acquiring bank or gateway provider.

Each time the merchant submits a card authorization request, a token is created using unique identification symbols that retain all the essential account information, and that token is returned to the merchant. Because no actual card account data is stored on the merchant's server, the merchant's liability is reduced if its server is hacked.

The same is true if a hacker breaks into an acquiring bank's database. "The advantage of tokenization is that even if the token is hacked, it cannot be used to make a purchase because all but the last four digits of the card number have been encrypted," says Retail Decisions' Clump. "The acquirer can link the encrypted data back to the actual card account, but the hacker can't."

In addition to providing tokenization, Retail Decisions offers ReD Shield, a fraud-detection service hosted by ReD that uses analytics, rules, neural network technology and pooled data to identify all the components of a fraudulent transaction and the relationships among those components across multiple merchant categories, then assembles them in real time. This allows retailers to flag and review a suspect transaction before making a decision whether to accept it, request more information from the consumer or reject the transaction.

As part of its efforts to keep actual credit card account data from passing through a merchant's web site, Litle & Co. has created a merchant-branded checkout page. The page communicates directly with the consumer's web browser. After the consumer enters his card data, his web browser sends it directly to Litle & Co.'s secure server where it is tokenized. Once the data is tokenized, the token, an alphanumeric code that includes only the last four digits of the card number, is returned to the consumer's web browser, which inserts the token in the field on the checkout page that requests the card number.

"The flow of card information completely bypasses the retailer's web site so the retailer never touches it, which reduces their risk," explains Osman Perksoy, principal product manager for Litle & Co.'s Litle Vault application. "Using this method, the merchant does not have to interact with us using sensitive cardholder data, which closes another door to card data-related fraud."
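To make the tokenization flow described above concrete, here is an added illustration (not code from Retail Decisions, Litle & Co. or any vendor on this page) of a minimal acquirer-side vault: it keeps the card number, hands the merchant an unpredictable token that preserves only the last four digits, and is the only party that can map the token back. The Luhn check, the `TOK-` format and the choice to return the same token for a repeat card (so order history can be linked to it) are assumptions made for the example.

```python
import secrets
import string

TOKEN_ALPHABET = string.ascii_uppercase + string.digits


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check so the vault refuses obviously malformed numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the acquirer's vault: holds the PAN, hands out tokens."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}   # assumption: same card -> same token

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random body from a CSPRNG: nothing in the token is derived from
            # the card number except the four display digits at the end.
            body = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(12))
            token = f"TOK-{body}-{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; a merchant never calls this."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, pan: str) -> dict:
    """All the merchant keeps after checkout: the token and the display digits."""
    token = vault.tokenize(pan)
    return {"card_token": token, "last4": token[-4:]}
```

A stolen merchant database in this model yields only `TOK-…` strings, which are useless for a purchase without access to the vault.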

Besides encrypting cardholder data, merchants need to identify the device being used to access their web sites. Device fingerprinting, a technique that tracks the signal emitted by the operating system running on a mobile device, tablet, laptop or desktop computer, is playing a growing role in fraud detection.

Retailers can also identify a device through a cookie, which is a small text file containing a unique identification tag. Retailers routinely attach cookies to the devices used to visit their sites to identify customers when they return and more accurately track their viewing and purchasing habits.

Once the device being used to access the retailer's site has been identified, it can be cross-referenced against a database of transactions linked to the device. "Some devices may be linked to multiple credit cards, mailing addresses, e-mail addresses or chargebacks, which can be a red flag," says Chase Paymentech's Nadeau. "Device fingerprinting is an important part of fraud prevention because it gets retailers away from relying primarily on whether the card account is valid or has been stolen."

Chase Paymentech, which says it processes about half of all online transactions, provides merchants with such fraud-prevention services as database aggregation and tokenization. Chase Paymentech can authorize transactions in more than 130 currencies and provide retailers with credit cards, debit cards, prepaid stored value cards and electronic check processing.

In addition to identifying an access device from the signal emitted by its operating system or a tracking cookie, fraud-detection providers can help merchants spot another red flag: that the user of the access device has turned off such applications as Flash and JavaScript, which are critical to properly rendering a web page.

"Flash and JavaScript emit identification signals and if they are turned off it is an indication that the access device being used may be in the hands of a fraudster," says Kount's Rouse. "Criminals tend to turn off these applications to make it harder to identify and geolocate the access device they are using. It is another speed bump to slow down the device-identification process."

Speed limits

One risk associated with linking the number of transactions to a specific access device or credit card is that the information can be dated, which limits a merchant's ability to properly interpret the data. It is recommended that merchants use real-time, aggregated databases capable of linking order histories to a specific device or credit card across a broad base of merchants. By doing so, retailers can more accurately check whether a particular credit card is being used at an unusually high rate.

"A lot of criminals will use computer programs to simultaneously make purchases from multiple merchants using a single card or device," explains Rouse. "Relying on static databases, even though they may use aggregate data, only shows a history of the card or device in question, not the extent of its activity in real time. Without a real-time window into card or device activity retailers can be lulled into a false sense of security."
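The real-time, cross-merchant velocity check this section argues for, and the device-to-multiple-cards red flag Nadeau describes above, can both be expressed as sliding-window counters over a pooled transaction feed. The following is an added example, not code from Kount, Chase Paymentech or any vendor on the page; the window of 60 seconds, the thresholds, the `Txn` fields and the sample feed are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: int            # epoch seconds
    merchant: str
    card_token: str    # token from the acquirer's vault, never the PAN
    device_id: str     # device fingerprint or cookie identifier


class VelocityMonitor:
    """Sliding-window counters over a pooled, cross-merchant feed."""

    def __init__(self, window=60, max_txns_per_card=3, max_cards_per_device=2):
        self.window = window
        self.max_txns_per_card = max_txns_per_card
        self.max_cards_per_device = max_cards_per_device
        self._card_hist = defaultdict(deque)     # card -> deque[(ts, merchant)]
        self._device_hist = defaultdict(deque)   # device -> deque[(ts, card)]

    def _trim(self, dq, now):
        # Drop events older than the window so counts reflect current activity
        while dq and dq[0][0] < now - self.window:
            dq.popleft()

    def observe(self, t):
        """Record one transaction and return any red flags it raises."""
        flags = []
        ch = self._card_hist[t.card_token]
        self._trim(ch, t.ts)
        ch.append((t.ts, t.merchant))
        if len(ch) > self.max_txns_per_card:
            merchants = {m for _, m in ch}
            flags.append(f"card {t.card_token}: {len(ch)} txns at "
                         f"{len(merchants)} merchants within {self.window}s")
        dh = self._device_hist[t.device_id]
        self._trim(dh, t.ts)
        dh.append((t.ts, t.card_token))
        cards = {c for _, c in dh}
        if len(cards) > self.max_cards_per_device:
            flags.append(f"device {t.device_id}: {len(cards)} distinct cards "
                         f"within {self.window}s")
        return flags


# Constructed sample feed (not real data): one card hit at four merchants in
# 30 s from one device, one device rotating three cards, and a normal shopper.
SAMPLE_FEED = [
    Txn(1000, "shopA", "TOK-1111", "dev-x"),
    Txn(1010, "shopB", "TOK-1111", "dev-x"),
    Txn(1020, "shopC", "TOK-1111", "dev-x"),
    Txn(1030, "shopD", "TOK-1111", "dev-x"),   # 4th in 60 s -> flagged
    Txn(2000, "shopA", "TOK-2222", "dev-y"),
    Txn(2005, "shopA", "TOK-3333", "dev-y"),
    Txn(2010, "shopB", "TOK-4444", "dev-y"),   # 3rd card on device -> flagged
    Txn(3000, "shopA", "TOK-5555", "dev-z"),
    Txn(6600, "shopB", "TOK-5555", "dev-z"),   # an hour apart -> no flag
]


def run_feed(feed, **kw):
    mon = VelocityMonitor(**kw)
    return [flag for t in feed for flag in mon.observe(t)]
```

Because the counters are updated as each transaction arrives rather than from a periodic batch load, the fourth purchase on TOK-1111 is flagged while it is still awaiting a decision, which is the window a static history lookup misses.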